content/public/browser/child_process_security_policy.h - chromium/src - Git at Google

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef CONTENT_PUBLIC_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_
 #define CONTENT_PUBLIC_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_

 #include <string>

 #include "content/common/content_export.h"
 #include "url/gurl.h"
 #include "url/origin.h"

 namespace base {
 class FilePath;
 }

 namespace content {

 // The ChildProcessSecurityPolicy class is used to grant and revoke security
 // capabilities for child processes.  For example, it restricts whether a child
 // process is permitted to load file:// URLs based on whether the process
 // has ever been commanded to load file:// URLs by the browser.
 //
 // ChildProcessSecurityPolicy is a singleton that may be used on any thread.
 //
 class ChildProcessSecurityPolicy {
  public:
   virtual ~ChildProcessSecurityPolicy() {}

   // There is one global ChildProcessSecurityPolicy object for the entire
   // browser process.  The object returned by this method may be accessed on
   // any thread.
   static CONTENT_EXPORT ChildProcessSecurityPolicy* GetInstance();

   // Web-safe schemes can be requested by any child process.  Once a web-safe
   // scheme has been registered, any child process can request URLs whose
   // origins use that scheme. There is no mechanism for revoking web-safe
   // schemes.
   //
   // Only call this function if URLs of this scheme are okay to host in
   // any ordinary renderer process.
   //
   // Registering 'your-scheme' as web-safe also causes 'blob:your-scheme://'
   // and 'filesystem:your-scheme://' URLs to be considered web-safe.
   virtual void RegisterWebSafeScheme(const std::string& scheme) = 0;

   // More restrictive variant of RegisterWebSafeScheme; URLs with this scheme
   // may be requested by any child process, but navigations to this scheme may
   // only commit in child processes that have been explicitly granted
   // permission to do so.
   //
   // |always_allow_in_origin_headers| controls whether this scheme is allowed to
   // appear as the Origin HTTP header in outbound requests, even if the
   // originating process does not have permission to commit this scheme. This
   // may be necessary if the scheme is used in conjunction with blink's
   // IsolatedWorldSecurityOrigin mechanism, as for extension content scripts.
   virtual void RegisterWebSafeIsolatedScheme(
       const std::string& scheme,
       bool always_allow_in_origin_headers) = 0;

   // Returns true iff |scheme| has been registered as a web-safe scheme.
   // TODO(nick): https://crbug.com/651534 This function does not have enough
   // information to render an appropriate judgment for blob and filesystem URLs;
   // change it to accept an URL instead.
   virtual bool IsWebSafeScheme(const std::string& scheme) = 0;

   // This permission grants only read access to a file.
   // Whenever the user picks a file from a <input type="file"> element, the
   // browser should call this function to grant the child process the capability
   // to upload the file to the web. Grants FILE_PERMISSION_READ_ONLY.
   virtual void GrantReadFile(int child_id, const base::FilePath& file) = 0;

   // This permission grants creation, read, and full write access to a file,
   // including attributes.
   virtual void GrantCreateReadWriteFile(int child_id,
                                         const base::FilePath& file) = 0;

   // This permission grants copy-into permission for |dir|.
   virtual void GrantCopyInto(int child_id, const base::FilePath& dir) = 0;

   // This permission grants delete permission for |dir|.
   virtual void GrantDeleteFrom(int child_id, const base::FilePath& dir) = 0;

   // Determine whether the process has the capability to request the URL.
   // Before servicing a child process's request for a URL, the content layer
   // calls this method to determine whether it is safe.
   virtual bool CanRequestURL(int child_id, const GURL& url) = 0;

   // Whether the process is allowed to commit a document from the given URL.
   // This is more restrictive than CanRequestURL, since CanRequestURL allows
   // requests that might lead to cross-process navigations or external protocol
   // handlers.
   virtual bool CanCommitURL(int child_id, const GURL& url) = 0;

   // These methods verify whether or not the child process has been granted
   // permissions perform these functions on |file|.

   // Before servicing a child process's request to upload a file to the web, the
   // browser should call this method to determine whether the process has the
   // capability to upload the requested file.
   virtual bool CanReadFile(int child_id, const base::FilePath& file) = 0;
   virtual bool CanCreateReadWriteFile(int child_id,
                                       const base::FilePath& file) = 0;

   // Grants read access permission to the given isolated file system
   // identified by |filesystem_id|. An isolated file system can be
   // created for a set of native files/directories (like dropped files)
   // using storage::IsolatedContext. A child process needs to be granted
   // permission to the file system to access the files in it using
   // file system URL. You do NOT need to give direct permission to
   // individual file paths.
   //
   // Note: files/directories in the same file system share the same
   // permission as far as they are accessed via the file system, i.e.
   // using the file system URL (tip: you can create a new file system
   // to give different permission to part of files).
   virtual void GrantReadFileSystem(int child_id,
                                    const std::string& filesystem_id) = 0;

   // Grants write access permission to the given isolated file system
   // identified by |filesystem_id|.  See comments for GrantReadFileSystem
   // for more details.  You do NOT need to give direct permission to
   // individual file paths.
   //
   // This must be called with a great care as this gives write permission
   // to all files/directories included in the file system.
   virtual void GrantWriteFileSystem(int child_id,
                                     const std::string& filesystem_id) = 0;

   // Grants create file permission to the given isolated file system
   // identified by |filesystem_id|.  See comments for GrantReadFileSystem
   // for more details.  You do NOT need to give direct permission to
   // individual file paths.
   //
   // This must be called with a great care as this gives create permission
   // within all directories included in the file system.
   virtual void GrantCreateFileForFileSystem(
       int child_id,
       const std::string& filesystem_id) = 0;

   // Grants create, read and write access permissions to the given isolated
   // file system identified by |filesystem_id|.  See comments for
   // GrantReadFileSystem for more details.  You do NOT need to give direct
   // permission to individual file paths.
   //
   // This must be called with a great care as this gives create, read and write
   // permissions to all files/directories included in the file system.
   virtual void GrantCreateReadWriteFileSystem(
       int child_id,
       const std::string& filesystem_id) = 0;

   // Grants permission to copy-into filesystem |filesystem_id|. 'copy-into'
   // is used to allow copying files into the destination filesystem without
   // granting more general create and write permissions.
   virtual void GrantCopyIntoFileSystem(int child_id,
                                        const std::string& filesystem_id) = 0;

   // Grants permission to delete from filesystem |filesystem_id|. 'delete-from'
   // is used to allow deleting files into the destination filesystem without
   // granting more general create and write permissions.
   virtual void GrantDeleteFromFileSystem(int child_id,
                                          const std::string& filesystem_id) = 0;

   // Grants the child process the capability to commit URLs with the provided
   // origin. Usage should be extremely rare: the content framework already
   // automatically grants this privilege as needed on successful navigation to a
   // URL.
   // If you think you need this, please reach out to site-isolation-dev@ first.
   virtual void GrantCommitOrigin(int child_id, const url::Origin& origin) = 0;
   //
   // Grants the child process the capability to request URLs with the provided
   // origin.
   virtual void GrantRequestOrigin(int child_id, const url::Origin& origin) = 0;

   // Grants the child process the capability to request URLs of the provided
   // scheme.
   virtual void GrantRequestScheme(int child_id, const std::string& scheme) = 0;

   // Returns true if read access has been granted to |filesystem_id|.
   virtual bool CanReadFileSystem(int child_id,
                                  const std::string& filesystem_id) = 0;

   // Returns true if read and write access has been granted to |filesystem_id|.
   virtual bool CanReadWriteFileSystem(int child_id,
                                       const std::string& filesystem_id) = 0;

   // Returns true if copy-into access has been granted to |filesystem_id|.
   virtual bool CanCopyIntoFileSystem(int child_id,
                                      const std::string& filesystem_id) = 0;

   // Returns true if delete-from access has been granted to |filesystem_id|.
   virtual bool CanDeleteFromFileSystem(int child_id,
                                        const std::string& filesystem_id) = 0;

   // Returns true if the specified child_id has been granted WebUI bindings.
   // The browser should check this property before assuming the child process
   // is allowed to use WebUI bindings.
   virtual bool HasWebUIBindings(int child_id) = 0;

   // Grants permission to send system exclusive message to any MIDI devices.
   virtual void GrantSendMidiSysExMessage(int child_id) = 0;

   // Returns true if the process is permitted to read and modify the data for
   // the origin of |url|. This is currently used to protect data such as
   // cookies, passwords, and local storage. Does not affect cookies attached to
   // or set by network requests.
   //
   // This can only return false for processes locked to a particular origin,
   // which can happen for any origin when the --site-per-process flag is used,
   // or for isolated origins that require a dedicated process (see
   // AddIsolatedOrigin).
   //
   // TODO(lukasza, nasko): https://crbug.com/882053: Convert this method to take
   // url::Origin instead of GURL (so that CanAccessDataForOrigin can verify
   // whether precursor of opaque origins also matches the process lock).
   virtual bool CanAccessDataForOrigin(int child_id, const GURL& url) = 0;
 };

 }  // namespace content

 #endif  // CONTENT_PUBLIC_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_
	// Copyright (c) 2012 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef CONTENT_PUBLIC_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_
	#define CONTENT_PUBLIC_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_

	#include <string>

	#include "content/common/content_export.h"
	#include "url/gurl.h"
	#include "url/origin.h"

	namespace base {
	class FilePath;
	}

	namespace content {

	// The ChildProcessSecurityPolicy class is used to grant and revoke security
	// capabilities for child processes. For example, it restricts whether a child
	// process is permitted to load file:// URLs based on whether the process
	// has ever been commanded to load file:// URLs by the browser.
	//
	// ChildProcessSecurityPolicy is a singleton that may be used on any thread.
	//
	class ChildProcessSecurityPolicy {
	public:
	virtual ~ChildProcessSecurityPolicy() {}

	// There is one global ChildProcessSecurityPolicy object for the entire
	// browser process. The object returned by this method may be accessed on
	// any thread.
	static CONTENT_EXPORT ChildProcessSecurityPolicy* GetInstance();

	// Web-safe schemes can be requested by any child process. Once a web-safe
	// scheme has been registered, any child process can request URLs whose
	// origins use that scheme. There is no mechanism for revoking web-safe
	// schemes.
	//
	// Only call this function if URLs of this scheme are okay to host in
	// any ordinary renderer process.
	//
	// Registering 'your-scheme' as web-safe also causes 'blob:your-scheme://'
	// and 'filesystem:your-scheme://' URLs to be considered web-safe.
	virtual void RegisterWebSafeScheme(const std::string& scheme) = 0;

	// More restrictive variant of RegisterWebSafeScheme; URLs with this scheme
	// may be requested by any child process, but navigations to this scheme may
	// only commit in child processes that have been explicitly granted
	// permission to do so.
	//
	// \|always_allow_in_origin_headers\| controls whether this scheme is allowed to
	// appear as the Origin HTTP header in outbound requests, even if the
	// originating process does not have permission to commit this scheme. This
	// may be necessary if the scheme is used in conjunction with blink's
	// IsolatedWorldSecurityOrigin mechanism, as for extension content scripts.
	virtual void RegisterWebSafeIsolatedScheme(
	const std::string& scheme,
	bool always_allow_in_origin_headers) = 0;

	// Returns true iff \|scheme\| has been registered as a web-safe scheme.
	// TODO(nick): https://crbug.com/651534 This function does not have enough
	// information to render an appropriate judgment for blob and filesystem URLs;
	// change it to accept an URL instead.
	virtual bool IsWebSafeScheme(const std::string& scheme) = 0;

	// This permission grants only read access to a file.
	// Whenever the user picks a file from a <input type="file"> element, the
	// browser should call this function to grant the child process the capability
	// to upload the file to the web. Grants FILE_PERMISSION_READ_ONLY.
	virtual void GrantReadFile(int child_id, const base::FilePath& file) = 0;

	// This permission grants creation, read, and full write access to a file,
	// including attributes.
	virtual void GrantCreateReadWriteFile(int child_id,
	const base::FilePath& file) = 0;

	// This permission grants copy-into permission for \|dir\|.
	virtual void GrantCopyInto(int child_id, const base::FilePath& dir) = 0;

	// This permission grants delete permission for \|dir\|.
	virtual void GrantDeleteFrom(int child_id, const base::FilePath& dir) = 0;

	// Determine whether the process has the capability to request the URL.
	// Before servicing a child process's request for a URL, the content layer
	// calls this method to determine whether it is safe.
	virtual bool CanRequestURL(int child_id, const GURL& url) = 0;

	// Whether the process is allowed to commit a document from the given URL.
	// This is more restrictive than CanRequestURL, since CanRequestURL allows
	// requests that might lead to cross-process navigations or external protocol
	// handlers.
	virtual bool CanCommitURL(int child_id, const GURL& url) = 0;

	// These methods verify whether or not the child process has been granted
	// permissions perform these functions on \|file\|.

	// Before servicing a child process's request to upload a file to the web, the
	// browser should call this method to determine whether the process has the
	// capability to upload the requested file.
	virtual bool CanReadFile(int child_id, const base::FilePath& file) = 0;
	virtual bool CanCreateReadWriteFile(int child_id,
	const base::FilePath& file) = 0;

	// Grants read access permission to the given isolated file system
	// identified by \|filesystem_id\|. An isolated file system can be
	// created for a set of native files/directories (like dropped files)
	// using storage::IsolatedContext. A child process needs to be granted
	// permission to the file system to access the files in it using
	// file system URL. You do NOT need to give direct permission to
	// individual file paths.
	//
	// Note: files/directories in the same file system share the same
	// permission as far as they are accessed via the file system, i.e.
	// using the file system URL (tip: you can create a new file system
	// to give different permission to part of files).
	virtual void GrantReadFileSystem(int child_id,
	const std::string& filesystem_id) = 0;

	// Grants write access permission to the given isolated file system
	// identified by \|filesystem_id\|. See comments for GrantReadFileSystem
	// for more details. You do NOT need to give direct permission to
	// individual file paths.
	//
	// This must be called with a great care as this gives write permission
	// to all files/directories included in the file system.
	virtual void GrantWriteFileSystem(int child_id,
	const std::string& filesystem_id) = 0;

	// Grants create file permission to the given isolated file system
	// identified by \|filesystem_id\|. See comments for GrantReadFileSystem
	// for more details. You do NOT need to give direct permission to
	// individual file paths.
	//
	// This must be called with a great care as this gives create permission
	// within all directories included in the file system.
	virtual void GrantCreateFileForFileSystem(
	int child_id,
	const std::string& filesystem_id) = 0;

	// Grants create, read and write access permissions to the given isolated
	// file system identified by \|filesystem_id\|. See comments for
	// GrantReadFileSystem for more details. You do NOT need to give direct
	// permission to individual file paths.
	//
	// This must be called with a great care as this gives create, read and write
	// permissions to all files/directories included in the file system.
	virtual void GrantCreateReadWriteFileSystem(
	int child_id,
	const std::string& filesystem_id) = 0;

	// Grants permission to copy-into filesystem \|filesystem_id\|. 'copy-into'
	// is used to allow copying files into the destination filesystem without
	// granting more general create and write permissions.
	virtual void GrantCopyIntoFileSystem(int child_id,
	const std::string& filesystem_id) = 0;

	// Grants permission to delete from filesystem \|filesystem_id\|. 'delete-from'
	// is used to allow deleting files into the destination filesystem without
	// granting more general create and write permissions.
	virtual void GrantDeleteFromFileSystem(int child_id,
	const std::string& filesystem_id) = 0;

	// Grants the child process the capability to commit URLs with the provided
	// origin. Usage should be extremely rare: the content framework already
	// automatically grants this privilege as needed on successful navigation to a
	// URL.
	// If you think you need this, please reach out to site-isolation-dev@ first.
	virtual void GrantCommitOrigin(int child_id, const url::Origin& origin) = 0;
	//
	// Grants the child process the capability to request URLs with the provided
	// origin.
	virtual void GrantRequestOrigin(int child_id, const url::Origin& origin) = 0;

	// Grants the child process the capability to request URLs of the provided
	// scheme.
	virtual void GrantRequestScheme(int child_id, const std::string& scheme) = 0;

	// Returns true if read access has been granted to \|filesystem_id\|.
	virtual bool CanReadFileSystem(int child_id,
	const std::string& filesystem_id) = 0;

	// Returns true if read and write access has been granted to \|filesystem_id\|.
	virtual bool CanReadWriteFileSystem(int child_id,
	const std::string& filesystem_id) = 0;

	// Returns true if copy-into access has been granted to \|filesystem_id\|.
	virtual bool CanCopyIntoFileSystem(int child_id,
	const std::string& filesystem_id) = 0;

	// Returns true if delete-from access has been granted to \|filesystem_id\|.
	virtual bool CanDeleteFromFileSystem(int child_id,
	const std::string& filesystem_id) = 0;

	// Returns true if the specified child_id has been granted WebUI bindings.
	// The browser should check this property before assuming the child process
	// is allowed to use WebUI bindings.
	virtual bool HasWebUIBindings(int child_id) = 0;

	// Grants permission to send system exclusive message to any MIDI devices.
	virtual void GrantSendMidiSysExMessage(int child_id) = 0;

	// Returns true if the process is permitted to read and modify the data for
	// the origin of \|url\|. This is currently used to protect data such as
	// cookies, passwords, and local storage. Does not affect cookies attached to
	// or set by network requests.
	//
	// This can only return false for processes locked to a particular origin,
	// which can happen for any origin when the --site-per-process flag is used,
	// or for isolated origins that require a dedicated process (see
	// AddIsolatedOrigin).
	//
	// TODO(lukasza, nasko): https://crbug.com/882053: Convert this method to take
	// url::Origin instead of GURL (so that CanAccessDataForOrigin can verify
	// whether precursor of opaque origins also matches the process lock).
	virtual bool CanAccessDataForOrigin(int child_id, const GURL& url) = 0;
	};

	} // namespace content

	#endif // CONTENT_PUBLIC_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_